Linear transformation for symmetric-key ciphers



The invention relates to a method of generating a linear transformation for use in a symmetric-key cipher based on a binary error-correcting code.

The application of cryptography in the area of copyright protection of digital audio and/or video is becoming increasingly important. These applications include contents encryption/decryption and access management functions. For such applications block ciphers can be used. A well-known family of block ciphers are Feistel ciphers. In a Feistel cipher, the input data block is processed in a number of rounds. In each round, the two sub-blocks (halves) of the block are operated on differently. A first sub-block is combined with the output of a round function; the second sub-block is left unmodified. At the end of the round, the two sub-blocks are swapped, ensuring that the unmodified sub-block will be processed in the next round. The round function takes as input the second sub-block and a round key. Normally, the round function combines the round key with the second sub-block, for instance using an XOR operation. Additionally, the round function performs a non-linear operation and a linear transformation on the second sub-block. Typically, the non-linear transformation consists of a substitution box (S-box) layer, consisting of a number of S-boxes operating in parallel on smaller sub-blocks of, for instance, 4 to 8 bits. After the S-box layer, a linear operation ensures that a proper diffusion occurs so that bit changes caused by the individual S-boxes are propagated over as many S-boxes as possible in the next round(s).

A well-known example of a Feistel cipher is DES, consisting of sixteen rounds. In each round, first the 32 bits of the right half of the data are expanded to 48 bits. Next, a 48 bit round key, which is computed from a 56 bit DES key with a key scheduling algorithm, is bit-wise added modulo two to these 48 bits. Then a layer of S-boxes performs a non-linear operation on the data. In DES, the S-box layer consists of eight six-to-four bit S-boxes in parallel, i.e. each of the S-boxes converts a 6-bit input block into a 4-bit output block using one fixed mapping table per S-box. The output of the S-box layer is a 32 bit data block. The linear transformation, which is performed on this 32 bit data block, is a bit-permutation, which ensures that bit changes caused by an S-box are propagated over many other ones in the following round(s). A drawback of DES is its small key size of 56 bits, which is considered to be insufficient nowadays for offering a high level of security. However, an exhaustive key search can be avoided by using a longer key combined with a different key scheduling algorithm for computing the sixteen 48-bit round keys. The two most powerful attacks on DES published in the open literature are differential and linear cryptanalysis, which are general attacks that can be applied to a wide range of block ciphers. It has been shown that DES cannot be strengthened much against these attacks by modifying the key length and/or the key-scheduling algorithm. However, changes in the round function of the algorithm can influence its strength against these attacks considerably.

For the linear transformation, it is desired that the transformation has good diffusion properties. Recently, S. Vaudenay proposed to use linear error-correcting codes for constructing linear transformations; a description can be found in "On the Need for Multi-Permutations: Cryptanalysis of MD4 and SAFER", Fast Software Encryption (2nd), LNCS 1008, Springer, 1995, pp. 286-297. The diffusion properties of the linear transformation are associated with the minimum Hamming distance of the corresponding error-correcting code; the higher this distance, the better the diffusion properties of the associated linear transformation matrix. Vaudenay proposes the use of Maximum Distance Separable (MDS) codes over finite fields, which reach the so-called Singleton bound and therefore provide optimal diffusion. However, this construction has the disadvantage that the resulting linear transformation contains additional mathematical structure, e.g. linearity over the finite field (and all its sub-fields) that was used for the construction, which could be exploited in cryptanalysis.

It is an object of the invention to provide an invertible linear transformation, represented by a non-singular binary matrix, for use in symmetric-key ciphers with guaranteed optimal diffusion characteristics on bit-level based on an optimal binary linear error-correcting code. This transformation has the advantage over the MDS construction that it is more irregular, in the sense that additional mathematical structure of the resulting linear transformation, which could be exploited in cryptanalysis, is avoided.

To meet the object of the invention, a matrix derived from an error-correcting code is extended with a number of columns such that the length of the code equals twice the dimension and the resulting matrix, which can be used as the basis for the linear transformation, is non-singular. This avoids attacks based on the non-uniformity of the round function.
As defined in the measure of the dependent claim 2, the new columns can be (pseudo-)randomly generated in order to find suitable columns.

As defined in the measure of the dependent claim 3, the matrix C is permuted to find a linear transformation matrix with the associated linear error-correcting code having a predetermined multi-bit weight. As defined in the measure of the dependent claim 4, this multi-bit weight ensures proper diffusion over the S-boxes of the cipher. For instance, for an S-box layer consisting of a number of S-boxes operating in parallel, in which each S-box provides an m-bit output, it is relevant to look at the diffusion of m-bit parts of the words in the associated binary error-correcting code, which can be expressed in the minimum m-bit weight over all non-zero codewords.

These and other aspects of the invention will be apparent from and elucidated with reference to the embodiments shown in the drawing.

Figure 1 shows a block diagram of a cryptographic system;
Figure 2 shows one round of a cipher incorporating the linear transformation;
Figure 3 illustrates the steps of the round function;
Figure 4 shows a preferred arrangement of an S-box construction; and
Figure 5 shows the steps of generating the linear transformation matrix.

For the purpose of explaining the invention, the cryptographic system, wherein the linear transformation is used, is described as a block cipher in the Electronic Codebook (ECB) mode. Persons skilled in the art will be able to use the system in other modes as well. These include the standard FIPS modes of operation for DES, i.e. the Cipher Block Chaining (CBC), the Cipher Feedback (CFB) and the Output Feedback (OFB) mode of operation. In addition, the system can also be used in well-known constructions for pseudo-random number generators, Message Authentication Codes (MACs) and Manipulation Detection Codes (MDCs).

Figure 1 shows a block diagram of an exemplary cryptographic apparatus 100. The cryptographic apparatus 100 comprises an input 110 for obtaining a digital input block X. The digital input block X may be any suitable size. The apparatus further comprises a cryptographic processor 120 for converting the digital input block X into a digital output block E(X). Advantageously, the digital output block has substantially equal length as the digital input block. The apparatus 100 comprises an output 130 for outputting the digital output block. In a preferred embodiment, the cryptographic processor converts the digital input block into the digital output block by merging the digital input block with key bits K, producing the output block E(X, K) which non-linearly depends on the input block X and the key K. To obtain the key (or an initial key feeding a key scheduler), the cryptographic apparatus comprises a second input 140. It will be appreciated that the cryptographic apparatus may be implemented using a conventional computer, such as a PC, or using a dedicated encryption/decryption device. The digital input block may be obtained in various ways, such as via a communication network, from a data storage medium, such as a hard disk or floppy disk, or directly being entered by a user. Similarly, the digital output block may be output in various ways, such as via a communication network, stored on a data storage medium, or displayed to a user. Preferably, secure means are used to this end. The cryptographic processor may be a conventional processor, such as for instance used in personal computers, but may also be a dedicated cryptographic processor. The processor is usually operated under control of a suitable program (firmware) to perform the steps of the algorithm according to the invention. This computer program product is normally loaded from a background storage, such as a hard disk or ROM. The computer program product can be stored on the background storage after having been distributed on a storage medium, like a CD-ROM, or via a network, like the public Internet. Sensitive information, like an encryption key, is preferably distributed and stored in a secure way. Techniques for doing so are generally known and not described further. The cryptographic apparatus may, in part or in whole, be implemented on a smart-card.

The linear transformation according to the invention performed by the cryptographic processor will be described in the form of a round function f in a block cipher as an exemplary application. In itself, persons skilled in the art will be able to use the linear transformation in other cryptographic systems as well, and in other ciphers than the one described in detail below.

Notations and definitions

The following notation is used in the description of the exemplary algorithm.

Let Z_2^n be the set of all binary vectors of length n (n ≥ 1) with the addition ⊕ : Z_2^n × Z_2^n → Z_2^n, which is defined as a coordinate-wise addition modulo 2 (also referred to as an exclusive-or, or XOR). For example, (1,0,1,0) and (0,1,1,0) are elements of Z_2^4 and (1,0,1,0) ⊕ (0,1,1,0) = (1,1,0,0). Moreover, the scalar multiplication Z_2 × Z_2^n → Z_2^n is defined as 1 · x = x and 0 · x = (0,0,...,0) ∈ Z_2^n for all x ∈ Z_2^n. If n is even and x ∈ Z_2^n, then x^(L) ∈ Z_2^(n/2) and x^(R) ∈ Z_2^(n/2) are defined as the left and the right half of x respectively. For example, if x = (1,0,1,1,0,0,1,0) ∈ Z_2^8, then x^(L) = (1,0,1,1) ∈ Z_2^4 and x^(R) = (0,0,1,0) ∈ Z_2^4. The symbol || is used to denote a concatenation of vectors, e.g. x = (x^(L) || x^(R)). The elements (also called bits) of a vector x ∈ Z_2^n are numbered from zero to n-1 from the left to the right, i.e. x =: (x_0, x_1, ..., x_{n-1}). The Hamming distance d_H : Z_2^n × Z_2^n → Z between two elements x ∈ Z_2^n and y ∈ Z_2^n is defined as the number of coordinates in which the two vectors differ, i.e. d_H(x,y) = #{ x_i ≠ y_i | i = 0,1,...,n-1 }. The Hamming weight w_H : Z_2^n → Z of an element x ∈ Z_2^n is defined as the number of non-zero coordinates, i.e. w_H(x) = #{ x_i ≠ 0 | i = 0,1,...,n-1 }.

The set of k × m matrices (k,m ≥ 1) over Z_2 is denoted by Z_2^{k×m}. The k × k identity matrix over Z_2 is denoted by I_k. The symbol || is also used to denote a concatenation of matrices with an equal number of rows, e.g. if A ∈ Z_2^{k×m} and B ∈ Z_2^{k×n} then C := (A || B).

A binary error-correcting code C of (block) length n is a linear subspace of Z_2^n. The elements of this subspace are referred to as codewords. If the dimension of the subspace is k then C is called an [n,k] code. Such a code can be represented by a generator matrix G ∈ Z_2^{k×n}, for which the rows form a basis for C, i.e. C = { mG | m ∈ Z_2^k }. The minimum distance d of the code is defined as the minimum over all distances between any two distinct codewords, i.e. d = min{ d_H(x,y) | x,y ∈ C and x ≠ y }. An [n,k] code with minimum Hamming distance d is also referred to as an [n,k,d] code. Note that d_H(x,y) = w_H(x ⊕ y), which implies that the minimum Hamming distance of a linear code equals the minimum Hamming weight over all non-zero codewords.

Block cipher structure

The exemplary block cipher is a Feistel cipher and consists of sixteen rounds (like DES). The block length equals 64 bits and the key length equals 128 bits. Encryption in Electronic Codebook (ECB) mode of a plaintext X ∈ Z_2^64 into its ciphertext C ∈ Z_2^64 under the key K ∈ Z_2^128 is denoted by C = E(K, X).

The round function is denoted by f and is a mapping from Z_2^40 × Z_2^32 to Z_2^32. This round function incorporates the linear transformation of the invention and will be described in more detail below. The first input argument of the round function is the round key K_i ∈ Z_2^40 (where i indicates the round number, i = 1, 2, ..., 16). These round keys are computed from the 128 bit key K with a so-called key schedu­ling algorithm. Any suitable key scheduling algorithm may be used and is not described in detail. The second input argument is the right half of the intermediate result after round i-1. This intermediate result is denoted by X_i ∈ Z_2^64 (i = 0, 1, ..., 16) with X =: (X_0^(L) || X_0^(R)).

With this notation the computation of the ciphertext C ∈ Z_2^64 consists of the following steps, as illustrated in Figure 2:

1. Compute X_i^(R) = X_{i-1}^(L) ⊕ f(K_i, X_{i-1}^(R)) and set X_i^(L) = X_{i-1}^(R) for i = 1, 2, ..., 15.

2. Compute X_16^(L) = X_15^(L) ⊕ f(K_16, X_15^(R)) and set X_16^(R) = X_15^(R). The ciphertext is defined as C := (X_16^(L) || X_16^(R)).

Fig. 2A shows the cipher structure used for the first fifteen rounds (i = 1, 2, ..., 15). Fig. 2B shows the last, sixteenth round. Note the irregular swap in Fig. 2B compared to the previous rounds of Fig. 2A. This is usually done in Feistel structures, because in this case the decryption algorithm (i.e. computing X = E^{-1}(K, C)) is the same as the encryption algorithm (with the round keys in reverse order). It has no meaning in a cryptographic sense.

Round function

Fig. 3 shows an overall block diagram of a preferred embodiment of the round function f. First a part of the round key, of for instance 32 bits, is added to the data bits in step 310. Next, in step 320, the S-boxes perform a non-linear substitution, preferably providing an optimal (local) resistance against differential and linear cryptanalysis. In addition, preferably the non-trivial (local) characteristics with a predetermined maximum probability are made (round) key dependent, as described below in more detail. Finally, in step 330 a linear transformation is used to provide a high diffusion over multiple rounds. The method of generating such a linear transformation from an error-correcting code will be described in more detail below.

The Feistel structure puts no restrictions on the surjectivity of the round function. However, preferably the round function is bijective for every choice for the fixed (round) key. This avoids attacks based on the non-uniformity of the round function.

Figure 4 provides more details of a preferred arrangement incorporating the S-boxes. In this exemplary system the round function f is a mapping from Z_2^40 × Z_2^32 to Z_2^32. The first input argument is the round key K_i ∈ Z_2^40, the second one the right half of the intermediate result X_{i-1}. The output is denoted by f(K_i, X_{i-1}^(R)) ∈ Z_2^32. In this figure, K_i^(1) ∈ Z_2^32 and K_i^(2) ∈ Z_2^8 are defined as K_i =: (K_i^(1) || K_i^(2)). In step 310, the key addition takes place, followed in step 320 by a key dependent Substitution box (S-box) layer. In this example, the S-box layer consists of eight smaller S-boxes (S_0, S_1, S_2, ..., S_7), each operating on 1/8 of the data block. The S-box transformation is a mapping from Z_2^8 × Z_2^32 to Z_2^32, the first input argument in round i is the round key K_i^(2), the second one the result of the key addition, i.e. X_{i-1}^(R) ⊕ K_i^(1). The 32 bit output of the S-box transformation is denoted by S(K_i^(2), X_{i-1}^(R) ⊕ K_i^(1)). A description of this mapping will be given below. Finally, in step 330 the linear transformation from Z_2^32 to Z_2^32 is applied. The input is S(K_i^(2), X_{i-1}^(R) ⊕ K_i^(1)), its output is denoted by L(S(K_i^(2), X_{i-1}^(R) ⊕ K_i^(1))). With this notation the function f is given by:
f(K_i, X_{i-1}^(R)) = L(S(K_i^(2), X_{i-1}^(R) ⊕ K_i^(1))).

S-boxes

In principle any suitable S-box layer may be used in the block cipher. In a preferred embodiment described here, each S-box operates on a 4-bit sub-block. It will be appreciated that also sub-blocks of other sizes can be used. Preferably, for each S-box a set of at least two predetermined permutations is used, where each time before using the S-box one of these permutations is selected in a (pseudo-)random manner. Preferably, the round key is used for this selection. In a preferred embodiment, each S-box is associated with two permutations, where one predetermined bit of the round key is used to select which of both permutations is used. Using relatively small S-boxes, such as ones operating on 4-bit sub-blocks, will normally require a row of parallel S-boxes, each being associated with a respective set of at least two non-linear permutations.

Figure 4 illustrates a preferred embodiment of a block cipher operating on 32-bit blocks and using 4-bit S-boxes, resulting in eight S-boxes used in parallel, each of which consists of two permutations. For this embodiment the following notation is used. Let the bits in the first input argument K_i^(2) of the S-box transformation be denoted by k_j^(i) (j = 0,1,...,7), i.e. K_i^(2) =: (k_0^(i), k_1^(i), ..., k_7^(i)). The vectors N_j^(i) ∈ Z_2^4 (j = 0,1,...,7) are defined as X_{i-1}^(R) ⊕ K_i^(1) =: (N_0^(i) || N_1^(i) || ... || N_7^(i)). The S-box mapping consists of a concatenation of eight mappings S_j : Z_2 × Z_2^4 → Z_2^4 (j = 0,1,...,7). The first input argument is the key bit k_j^(i), which selects which of the two permutations for S_j is used. The second input argument is N_j^(i), which is the input for the selected 4-bit permutation for S_j. The corresponding 4-bit output of this permutation is also the output of the S-box, and is denoted by S_j(k_j^(i), N_j^(i)). With this notation the function S is given by:

S(K_i^(2), X_{i-1}^(R) ⊕ K_i^(1)) = ( S_0(k_0^(i), N_0^(i)) || S_1(k_1^(i), N_1^(i)) || ... || S_7(k_7^(i), N_7^(i)) ).

Any suitable S-box layer may be used. Preferably, S-boxes according to the co-pending patent application FHNU)Q0365 Q2P ...) are used.
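As an added worked example (not code from the application), the sixteen-round structure of Figs. 2A/2B with the round function f(K_i, x) = L(S(K_i^(2), x ⊕ K_i^(1))) described above, checked for the property that decryption is encryption with the round keys reversed. The S-box permutations, the bit permutation standing in for L, and the round keys are constructed stand-ins and assumptions, not the application's own S-boxes, matrix A or key schedule.

```python
"""Sixteen-round Feistel structure of Figs. 2A/2B with the round function
f(K_i, x) = L(S(K_i^(2), x XOR K_i^(1))) of Figs. 3/4 (added worked example)."""
import random

# Constructed stand-ins (not the application's S-boxes or matrix A): each of the
# eight S-boxes owns two 4-bit permutations, one selected per round by a bit of
# K_i^(2); L is modelled by a fixed bit permutation instead of x*A.
_rng = random.Random(2000)
SBOX_PERMS = [[_rng.sample(range(16), 16) for _ in range(2)] for _ in range(8)]
L_PERM = _rng.sample(range(32), 32)


def sbox_layer(k2, v):
    """S(K_i^(2), v): S-box j maps nibble N_j (numbered left to right) through the
    permutation selected by key bit k_j of the 8-bit K_i^(2)."""
    out = 0
    for j in range(8):
        nib = (v >> (28 - 4 * j)) & 0xF
        sel = (k2 >> (7 - j)) & 1
        out = (out << 4) | SBOX_PERMS[j][sel][nib]
    return out


def linear(v):
    """Placeholder for L(x) = xA: output bit i is input bit L_PERM[i]."""
    return sum(((v >> (31 - L_PERM[i])) & 1) << (31 - i) for i in range(32))


def round_function(ki, x):
    """f(K_i, x) with K_i = (K_i^(1) || K_i^(2)), 32 + 8 bits: key addition,
    key-dependent S-box layer, linear transformation (steps 310, 320, 330)."""
    k1, k2 = ki >> 8, ki & 0xFF
    return linear(sbox_layer(k2, x ^ k1))


def feistel(block, round_keys):
    """Rounds 1-15: X_i^(R) = X_{i-1}^(L) XOR f(K_i, X_{i-1}^(R)), X_i^(L) = X_{i-1}^(R).
    Round 16: X_16^(L) = X_15^(L) XOR f(K_16, X_15^(R)), X_16^(R) = X_15^(R), no swap."""
    assert len(round_keys) == 16
    left, right = block >> 32, block & 0xFFFFFFFF
    for i, ki in enumerate(round_keys):
        mixed = left ^ round_function(ki, right)
        if i < 15:
            left, right = right, mixed
        else:
            left = mixed
    return (left << 32) | right


def encrypt(x, round_keys):
    """C = E(K, X), given the sixteen 40-bit round keys K_1..K_16."""
    return feistel(x, round_keys)


def decrypt(c, round_keys):
    """Because round 16 omits the swap, decryption is the encryption algorithm
    with the round keys in reverse order."""
    return feistel(c, round_keys[::-1])


def demo_round_keys(seed=1):
    """Constructed 40-bit round keys; the application leaves the key schedule open."""
    rng = random.Random(seed)
    return [rng.getrandbits(40) for _ in range(16)]
```

With the swap in round 16 put back, the same reversed-key call would no longer invert the cipher, which is the only reason for the irregular last round.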



After the S-box substitution function, a linear transformation L is performed. In the preferred embodiment with 32-bit sub-blocks and the preferred S-box construction, the input for this linear transformation is the vector S(K_i^(2), X_{i-1}^(R) ⊕ K_i^(1)). The coordinates of this vector will be denoted by y_j^(i) (j = 0,1,...,31). The linear transformation is a vector-matrix multiplication; the matrix is denoted by A ∈ Z_2^{32×32}.

Constructing the linear transformation matrix

The linear transformation L, defined by L(x) = xA, is constructed to meet the following design criteria:

(i) linearity over Z_2;

(ii) invertibility, i.e. the matrix A is non-singular over Z_2;

(iii) high diffusion properties.

The construction of the function L is based on binary linear error-correcting codes. The mapping L is identified with the binary linear error-correcting code generated by (I || A): the left half x of a codeword (x || xA) corresponds to the input for L, while the right half xA corresponds to the output. Note that design criterion (i) is satisfied for all binary error-correcting codes, while (ii) is satisfied if and only if A is non-singular over Z_2. Notice also that criterion (iii) can be expressed in terms of the minimum Hamming weight of the codewords; the higher this minimum distance, the better the diffusion properties.

The construction of A will be illustrated for 32 bit blocks (i.e. k = 32 and A ∈ Z_2^{32×32}) and uses a binary extended Bose-Chaudhuri-Hocquenghem (XBCH) code as a starting point for the construction of a [64,32] code with minimum Hamming distance equal to 12. It is well-known that such a code is optimal, i.e. any binary [64,32] code has minimum distance smaller or equal to 12. This implies that the minimum Hamming weight of any non-zero codeword is at least 12, since the code is linear. Note that this means that the diffusion properties of the mapping L are optimal at bit-level, in the sense that (small) changes in the input of t bits (t > 0) imply a change of at least max{0, 12 - t} bits in the output.

The generator matrix for the binary [64,32,12] code containing the matrix A is constructed as follows, as illustrated in Figure 5:

(i) In step 510 a generator matrix G^(1) in standard form (i.e. G^(1) = (I_32 || B) with B ∈ Z_2^{32×28}) is taken that corresponds to the binary linear error-correcting code. Such a generator matrix G^(1) is preferably constructed in the following way, starting from a Bose-Chaudhuri-Hocquenghem (BCH) code:

(a) In step 512, a generator matrix G ∈ Z_2^{36×63} is constructed for the binary [63,36,11] BCH code with generator polynomial g(x) := x^27 + x^22 + x^21 + x^19 + x^18 + x^17 + x^15 + x^8 + x^4 + x + 1, where row j (j = 0,1,...,35) of G corresponds to the polynomial x^j g(x). More precisely, if g(x) =: Σ_{i=0,1,...,27} g_i x^i with g_i ∈ Z_2, the first row of the matrix is given by (g_0, g_1, g_2, ..., g_27, 0, 0, ..., 0) ∈ Z_2^63. Row j of the generator matrix (j = 1,2,...,35) is given by a cyclic shift to the right of this first row over j positions.

(b) In step 514, this code is shortened to a [59,32,11] code by deleting the last four rows and columns of G.

(c) In step 518, this shortened code is extended to a [60,32,12] code by adding a parity check symbol to each codeword. Note that by adding a parity check, the addition of one column results in an increase of the minimum distance. The 32×60 generator matrix for this [60,32,12] code is denoted by G'.

(d) In step 520, a Gauss elimination is performed to bring G' in standard form, i.e. G^(1) = (I_32 || B) with B ∈ Z_2^{32×28}. Note that this is a generator matrix for a shortened [60, 32, 12] XBCH code.

(ii) Extend B with four columns such that the resulting matrix C ∈ Z_2^{32×32} is non-singular over Z_2. Preferably the four columns are (pseudo-)randomly selected:

(a) create four columns each with 32 (pseudo-)randomly selected binary elements,

(b) create a test matrix by extending B with the four new columns (in itself the column position of the newly added columns is not important),

(c) check whether the test matrix is invertible. For this test any suitable method may be used, e.g. a method based on Gauss elimination.

(d) if so, stop the process (a matrix has been found), otherwise restart by generating at least one new column.

It will be appreciated that instead of using a random creation process the elements of the four columns may also be generated in any other suitable way.

Due to the construction of the round function with the multi-bit S-boxes, also good diffusion properties on this multi-bit level are desirable. For four-bit S-boxes, this can be expressed as follows (variations for other numbers of bits fall well within the skills of persons skilled in the art). If the 4-bit vectors n_i (i = 0,1,...,7) of a codeword c ∈ Z_2^32 are defined as c =: (n_0 || n_1 || ... || n_7) then the nibble weight of c is defined as NW(c) := #{ i | n_i ≠ (0,0,0,0), i = 0,1,...,7 }. The diffusion properties on nibble-level can be expressed in terms of the minimum nibble weight over all non-zero codewords; the higher this minimum weight the better the diffusion properties on nibble-level. To achieve a high diffusion at multi-bit level (in the example, at nibble level), in step 530, two permutation matrices P_1, P_2 ∈ Z_2^{32×32} are selected such that all codewords in the [64,32,12] code with generator matrix (I || P_1 C P_2) have a high nibble weight. The finally found matrix A := P_1 C P_2 is used for the linear transformation. In a preferred embodiment the permutation matrices P_1 and P_2 are (pseudo-)randomly generated. It can be verified that the minimum nibble weight of the code generated by (I || A) equals seven.

The rows of a linear transformation matrix A generated in this way are given in the following table (a_0 is the first row, a_1 the second, ..., a_31 the last). Note that the vector-matrix product corresponds to an XOR of the rows a_k for which y_k^(i) = 1 (k = 0,1,...,31).
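As an added worked example (not code from the application), steps 510 to 530 carried out in Python: the [63,36,11] BCH generator matrix, shortening and parity extension to [60,32,12], Gauss elimination to (I_32 || B), random extension of B to a non-singular C, and random P_1, P_2. The check of g(x) against the BCH bound assumes the GF(2^6) representation x^6 + x + 1; the exhaustive nibble-weight search of step 530 is replaced by a scan of the weight-1 and weight-2 inputs, which only bounds the minimum nibble weight and does not reproduce the value seven.

```python
"""Steps 510-530: build the 32x32 matrix A from the binary [63,36,11] BCH code
(added example; the GF(2^6) representation below is an assumption)."""
import functools
import math
import random

# g(x) = x^27 + x^22 + x^21 + x^19 + x^18 + x^17 + x^15 + x^8 + x^4 + x + 1
G_POLY = [27, 22, 21, 19, 18, 17, 15, 8, 4, 1, 0]

def alpha_pow(i):
    """alpha^i in GF(2^6), alpha a root of the primitive polynomial x^6 + x + 1."""
    v = 1
    for _ in range(i % 63):
        v = (v << 1) ^ (0x43 if v & 0x20 else 0)      # multiply by x and reduce
    return v

def g_has_designed_roots(t=5):
    """BCH bound: d >= 2t+1 = 11 if some primitive element beta = alpha^s has
    beta^1, ..., beta^2t among the roots of g(x)."""
    def g_at(p):                                       # g(alpha^p) in GF(2^6)
        return functools.reduce(lambda v, e: v ^ alpha_pow(p * e), G_POLY, 0)
    return any(math.gcd(s, 63) == 1 and all(g_at(s * i) == 0 for i in range(1, 2 * t + 1))
               for s in range(1, 63))

def bch_generator_matrix():
    """Step 512: row j (j = 0..35) is (g_0, ..., g_27, 0, ..., 0) shifted right by j."""
    first = [int(e in G_POLY) for e in range(28)]
    return [[0] * j + first + [0] * (35 - j) for j in range(36)]

def shorten_and_extend(G):
    """Steps 514/518: drop the last four rows and columns, then add a parity bit."""
    return [r[:59] + [sum(r[:59]) % 2] for r in G[:32]]           # 32 x 60, d = 12

def standard_form(M):
    """Step 520: Gauss elimination over Z_2 to (I_k || B); returns B."""
    M, k = [r[:] for r in M], len(M)
    for col in range(k):
        piv = next(r for r in range(col, k) if M[r][col])
        M[col], M[piv] = M[piv], M[col]
        for r in range(k):
            if r != col and M[r][col]:
                M[r] = [a ^ b for a, b in zip(M[r], M[col])]
    return [r[k:] for r in M]

def gf2_rank(M):
    """Rank over Z_2 with rows packed into ints (the invertibility test of step (ii))."""
    rows, rank = [int("".join(map(str, r)), 2) for r in M], 0
    for bit in range(len(M[0])):
        piv = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if piv is not None:
            rows[rank], rows[piv] = rows[piv], rows[rank]
            for i in range(len(rows)):
                if i != rank and rows[i] >> bit & 1:
                    rows[i] ^= rows[rank]
            rank += 1
    return rank

def extend_to_square(B, rng):
    """Step (ii): append 2k-n (here 4) (pseudo-)random columns until C is non-singular."""
    k, extra = len(B), len(B) - len(B[0])
    while True:
        cols = [[rng.randrange(2) for _ in range(k)] for _ in range(extra)]
        C = [B[i] + [c[i] for c in cols] for i in range(k)]
        if gf2_rank(C) == k:
            return C

def nibble_weight(c):
    """Number of non-zero 4-bit groups of a codeword."""
    return sum(any(c[i:i + 4]) for i in range(0, len(c), 4))

def low_weight_scan(A):
    """Codewords (x || xA) for every input x of weight t = 1 or 2. Returns min w_H(xA)
    for t=1, for t=2 (both must be >= 12 - t) and the smallest nibble weight seen."""
    k, wmin, nw = len(A), {1: 32, 2: 32}, 16
    for i in range(k):
        for j in range(i, k):
            t = 1 if i == j else 2
            x = [int(c in (i, j)) for c in range(k)]
            xa = A[i] if t == 1 else [a ^ b for a, b in zip(A[i], A[j])]
            wmin[t], nw = min(wmin[t], sum(xa)), min(nw, nibble_weight(x + xa))
    return wmin[1], wmin[2], nw

def build_transformation(seed=2000):
    """Steps 510-530 end to end; the seed only fixes the (pseudo-)random choices."""
    rng = random.Random(seed)
    B = standard_form(shorten_and_extend(bch_generator_matrix()))    # 32 x 28
    C = extend_to_square(B, rng)                                      # 32 x 32
    p1, p2 = rng.sample(range(32), 32), rng.sample(range(32), 32)     # P1, P2
    return [[C[p1[i]][p2[j]] for j in range(32)] for i in range(32)]  # A = P1 C P2
```

The nibble weight returned by low_weight_scan is an upper bound on the code's minimum nibble weight, so it can only reject a choice of P_1, P_2, never certify it.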
PHINLUU0444EPP 03-08-2000

Comparison with MDS code

The use of linear transformations based on an MDS code in symmetric-key ciphers is known from S. Vaudenay, "On the Need for Multi-Permutations: Cryptanalysis of MD4 and SAFER", Fast Software Encryption (2nd), LNCS 1008, Springer, 1995, pp. 286-297. The following table compares the nibble weight distribution of the construction using the XBCH based matrix according to the invention to the (nibble) weight distribution of the MDS code. The entries represent the number of non-zero codewords with the given nibble weight.



Nibble weight    XBCH          MDS
7                428           0
8                7783          0
9                102440        171600
10               1075180       840840
11               8794864       9238320
12               54987542      54463500
13               253742392     254142000
14               815652460     815459400
15               1631276420    1631330640
16               1529327786    1529320995

As can be seen from this table, the nibble weight distributions of the two constructions are very similar. The minimum nibble weight of the XBCH construction is only two less than the minimum weight of the MDS construction, which can be shown to be optimal with respect to this criterion. However, the MDS construction has the disadvantage that it contains additional mathematical structure, such as the linearity over (sub-fields of) F_16 of the associated linear transformation, which could be exploited in the cryptanalysis of the block cipher. E.g. one could describe the S-boxes (and consequently the complete block cipher) by mappings from F_16 → F_16. Moreover, the construction described in this document guarantees optimal diffusion on bit-level.
CLAIMS:

1. A method of generating a linear transformation matrix A for use in a symmetric-key cipher, the method including:

generating a binary [n,k,d] error-correcting code, represented by a generator matrix G ∈ Z_2^{k×n} in a standard form G = (I_k || B), with B ∈ Z_2^{k×(n-k)}, where k < n < 2k, and d is the minimum distance of the binary error-correcting code;

extending matrix B with 2k-n columns such that a resulting matrix C is non-singular; and

deriving matrix A from matrix C.

2. A method as claimed in claim 1, wherein the step of extending matrix B with 2k-n columns includes:

in an iterative manner,

(pseudo-)randomly generating 2k-n columns, each with k binary elements;

forming a test matrix consisting of the n-k columns of B and the 2k-n generated columns; and

checking whether the test matrix is non-singular,

until a non-singular test matrix has been found; and

using the found test matrix as matrix C.

3. A method as claimed in claim 1, wherein the step of deriving matrix A from matrix C includes:

determining two permutation matrices P_1, P_2 ∈ Z_2^{k×k} such that all codewords in a [2k,k,d] error-correcting code, represented by the generator matrix (I || P_1 C P_2), have a predetermined multi-bit weight; and

using P_1 C P_2 as matrix A.

4. A method as claimed in claim 3, wherein the cipher includes a round function with an S-box layer with S-boxes operating on m-bit sub-blocks, and the minimum predetermined multi-bit weight over all non-zero codewords equals a predetermined m-bit weight.

5. A method as claimed in claim 3, wherein the step of determining the two permutation matrices P_1 and P_2 includes iteratively generating the matrices in a (pseudo-)random manner.

6. A method as claimed in claim 1, wherein the cipher includes a round function operating on 32-bit blocks and wherein the step of generating an [n,k,d] error-correcting code includes:

generating a binary extended Bose-Chaudhuri-Hocquenghem (XBCH) [64, 36, 12] code; and

shortening this code to a [60, 32, 12] shortened XBCH code by deleting four rows.

7. A computer program product, wherein the program product is operative to cause a processor to perform the method of claim 1.

8. A system for cryptographically converting an input data block into an output data block; the data blocks comprising n data bits; the system including:

an input for receiving the input data block;

a storage for storing a linear transformation matrix A, generated according to the method of claim 1;

a cryptographic processor performing a linear transformation on the input data block or a derivative of the input data block using the linear transformation matrix A; and

an output for outputting the processed input data block.



ABSTRACT:

A method of generating a linear transformation matrix A for use in a symmetric-key cipher includes generating a binary [n,k,d] error-correcting code, where k < n < 2k, and d is the minimum distance of the binary error-correcting code. The code is represented by a generator matrix G ∈ Z_2^{k×n} in a standard form G = (I_k || B), with B ∈ Z_2^{k×(n-k)}. The matrix B is extended with 2k-n columns such that a resulting matrix C is non-singular. The linear transformation matrix A is derived from matrix C. Preferably, the error correcting code is based on an XBCH code.